OFFICE OF
THE INSPECTOR GENERAL

SOCIAL SECURITY ADMINISTRATION

PERFORMANCE INDICATOR AUDIT:
CLAIMS PROCESSING

October 2005    A-15-05-15114

AUDIT REPORT

Mission

We improve SSA programs and operations and protect them against fraud, waste,
and abuse by conducting independent and objective audits, evaluations, and
investigations. We provide timely, useful, and reliable information and advice to
Administration officials, the Congress, and the public.

Authority

The Inspector General Act created independent audit and investigative units,
called the Office of Inspector General (OIG). The mission of the OIG, as spelled
out in the Act, is to:

  • Conduct and supervise independent and objective audits and
    investigations relating to agency programs and operations.
  • Promote economy, effectiveness, and efficiency within the agency.
  • Prevent and detect fraud, waste, and abuse in agency programs and
    operations.
  • Review and make recommendations regarding existing and proposed
    legislation and regulations relating to agency programs and operations.
  • Keep the agency head and the Congress fully and currently informed of
    problems in agency programs and operations.

To ensure objectivity, the IG Act empowers the IG with:

  • Independence to determine what reviews to perform.
  • Access to all information necessary for the reviews.
  • Authority to publish findings and recommendations based on the reviews.

Vision

By conducting independent and objective audits, investigations, and evaluations,
we are agents of positive change striving for continuous improvement in the
Social Security Administration's programs, operations, and management and in
our own office.

SOCIAL SECURITY

MEMORANDUM

Date:    October 27, 2005                    Refer To: ICN 35300-23-741

To:      The Commissioner

From:    Inspector General

Subject: Performance Indicator Audit: Claims Processing (A-15-05-15114)

We contracted with PricewaterhouseCoopers, LLP (PwC) to evaluate 16 of the Social
Security Administration’s (SSA) performance indicators established to comply with the
Government Performance and Results Act. The attached final report presents the
results of one of the performance indicators PwC reviewed. For the performance
indicators included in this audit, PwC’s objectives were to:

  • Assess the effectiveness of internal controls and test critical controls over the data
    generation, calculation, and reporting processes for the specific performance
    indicator.
  • Assess the overall reliability of the performance indicator’s computer processed
    data.
    Data are reliable when they are complete, accurate, consistent and are not
    subject to inappropriate alteration.
  • Test the accuracy of results presented and disclosed in the Fiscal Year 2004
    Performance and Accountability Report.
  • Assess if the performance indicator provides a meaningful measurement of the
    program it measures and the achievement of its stated objective.

This report contains the results of the audit for the following indicators:

  • Number of initial disability claims pending.
  • Retirement and Survivors Insurance claims processed.
  • Percent of Supplemental Security Income aged claims processed by the time the
    first payment is due or within 14 days of the effective filing date.

Please provide within 60 days a corrective action plan that addresses each
recommendation. If you wish to discuss the final report, please call me or have your
staff contact Steven L. Schaeffer, Assistant Inspector General for Audit, at
(410) 965-9700.

Patrick P. O’Carroll, Jr.

Attachment

MEMORANDUM

Date:    October 12, 2005

To:      Inspector General

From:    PricewaterhouseCoopers, LLP

Subject: Performance Indicator Audit: Claims Processing (A-15-05-15114)

OBJECTIVE

The Government Performance and Results Act (GPRA)[1] of 1993 requires the Social
Security Administration (SSA) to develop performance indicators that assess the
relevant service levels and outcomes of each program activity.[2] GPRA also calls for a
description of the means employed to verify and validate the measured values used to
report on program performance.[3]

To enhance the practical use of performance information, the Office of Management
and Budget (OMB), in collaboration with other Federal agencies, developed the
Program Assessment Rating Tool (PART), comprised of assessment criteria on
program performance and management. The PART establishes a high, "good
government" standard of performance and will be used to rate programs in an open,
public fashion.[4]

Our audit was conducted in accordance with generally accepted government auditing
standards for performance audits. For the performance indicators included in this audit,
our objectives were to:

  1. Assess the effectiveness of internal controls and test critical controls over the
     data generation, calculation, and reporting processes for the specific
     performance indicator.

  2. Assess the overall reliability of the performance indicator’s computer
     processed data. Data are reliable when they are complete, accurate,
     consistent and are not subject to inappropriate alteration.[5]

  3. Test the accuracy of results presented and disclosed in the
     Fiscal Year (FY) 2004 Performance and Accountability Report (PAR).

  4. Assess if the performance indicator provides a meaningful measurement of
     the program it measures and the achievement of its stated objective.

[1] Public Law Number 103-62, 107 Stat. 285 (codified as amended in scattered sections of 5 United States
    Code (U.S.C.), 31 U.S.C. and 39 U.S.C.).
[2] 31 U.S.C. § 1115(a)(4).
[3] 31 U.S.C. § 1115(a)(6).
[4] http://www.whitehouse.gov/omb/budintegration/part_assessing2004.html. In this report, the PART
    Measure results apply to the indicator “Percent of SSI Aged claims processed by the time the first
    payment is due or within 14 days of the effective filing date.” This indicator was reported as a non-GPRA
    PART performance measure in the Social Security Administration Performance and Accountability Report
    Fiscal Year 2004, p. 120.

BACKGROUND

We audited the following performance indicators as stated in the SSA FY 2004 PAR:

Performance Indicator                            FY 2004 Goal    FY 2004 Reported Results
Number of Initial Disability Claims Pending      582,000         624,658
Retirement and Survivors Insurance (RSI)         3,285,000       3,399,471
  Claims Processed
Percent of Supplemental Security Income (SSI)    75%             84.1%
  Aged Claims Processed by the Time the First
  Payment is Due or within 14 Days of the
  Effective Filing Date

SSA administers the Old-Age and Survivors Insurance (OASI), Disability Insurance (DI),
and the Supplemental Security Income (SSI)
programs. The OASI program, authorized
by Title II of the Social Security Act, provides income for eligible workers and for eligible
members of their families and survivors.[6] The DI program, also authorized by Title II of
the Social Security Act, provides income for eligible workers with qualifying disabilities
and for eligible members of their families before those workers reach retirement age.[7]
The SSI Program, authorized by Title XVI of the Social Security Act, was designed as a
needs-based program to provide or supplement the income of aged, blind, and/or
disabled individuals with limited income and resources.[8]

[5] GAO-03-273G Assessing Reliability of Computer Processed Data, October 2002, p. 3.
[6] The Social Security Act §§ 201-234, 42 U.S.C. §§ 401-434.
[7] Id.
[8] The Social Security Act §§ 1601-1637, 42 U.S.C. §§ 1381-1383f.

To determine eligibility for both Title II and Title XVI programs, the applicant must first
file a claim with SSA. This is typically accomplished through an appointment or walk-in
visit to one of SSA’s approximately 1,300 field offices (FO). Interviews are conducted
by field office personnel with the applicants via the telephone or in person to determine
the applicant’s non-medical eligibility. If the applicant is filing for benefits based on
disability, basic medical information concerning the disability, medical treatments, and
identification of treating sources is obtained.

Field office personnel input the applicant’s information into the Modernized Claims
System (MCS) for OASI and DI claims or the Modernized SSI Claims System (MSSICS)
for SSI claims. A relatively minor number of OASI and DI claims are input through the
SSA Claims Control System (SSACCS).
The SSACCS is used to process claims that
cannot be processed through MCS. A favorable or unfavorable determination on the
receipt of benefits is made on the OASI and non-disability SSI claims. DI and SSI
disability claims are sent to the State Disability Determination Services (DDS) office for
the review of medical information and determination of the receipt of benefits.

RESULTS OF REVIEW

Our assessment of internal controls identified the following issues in at least one of the
three performance indicators reviewed. The internal controls and data reliability issues
included insufficient documentation to describe the performance indicator process:

  • detailed data used to calculate the performance indicator was not maintained,

  • an audit trail for transactions processed through the SSACCS application was not
    created or reviewed,

  • SSA programmers had system access that would allow them to change the
    performance indicator data, and

  • weaknesses were found in the configuration of the Title XVI Datawarehouse
    UNIX system and Oracle database that contains data used to calculate the
    performance indicator results.

We noted an issue regarding the accuracy of the PAR presentation and disclosure that
included inaccurate performance trend information reported in the PAR. We also found
that one performance indicator was not clearly linked to SSA’s strategic objectives.

Number of Initial Disability Claims Pending

Indicator Background

The performance indicator measures the number of DI and SSI disability initial claims
that have not been reviewed by the DDS. The DDS is responsible for determining the
status of a claimant’s disability and ensuring that adequate evidence is available to
support the determination.
Upon determining that an applicant has met the non-medical
eligibility requirements, SSA sends the DI and SSI initial claims file to the DDS. When a
claim determination is made by the DDS, the status is entered into the National
Disability Determination Services System (NDDSS) as completed. If the DDS has
not completed its review, the status of the claim is pending in the NDDSS. The data
within NDDSS is automatically transferred to the Disability Operational Datastore
(DIODS). The total number of pending initial disability claims is reported as of
September 24, 2004 on the State Agency Operations Report (SAOR). Refer to the
formula below.

    Total Claims Pending for Title II and Title XVI
        = Total Workloads of Initial Closed Pending Claims as of September 24, 2004

Findings

The DIODS data used to classify the initial disability claims as pending was not archived
and maintained in accordance with OMB Circular A-123, Management Accountability
and Control, Attachment II, Establishing Management Controls. SSA management
stated that the detailed data was not maintained due to limited data storage space and
lack of personnel resources. We were able to recalculate the indicator using summary
data from DIODS, but we could not verify the accuracy of the summary data.

An audit trail for transactions processed through the SSACCS is not produced or
reviewed.
Therefore, transaction data may be altered or lost during input, resulting in
potentially incorrect or inconsistent data being accepted as valid for processing.

As a result of these issues, PwC was unable to validate the accuracy of the reported
indicator results and could not consider the data to be reliable.

We did not identify any significant exceptions related to the disclosure of the information
related to this indicator contained in the PAR, or to the meaningfulness of this indicator.

Retirement and Survivors Insurance Claims Processed

Indicator Background

The performance indicator measures the retirement (old-age), survivors, auxiliaries
(dependents of the retirees) and totalization (claims by eligible individuals who have
earned work credit overseas) claims processed. Processed RSI claims include claims
that have received a favorable or unfavorable determination on benefits.

The Title II Operational Datastore (TII ODS) calculates the total number of RSI claims
processed based on the fields for wage earners and dependents in the Retirement,
Survivors and Insurance Trust Fund and provides the result to the Integrated Work
Management System (IWMS).
On a monthly basis, an SSA analyst queries IWMS for
the retirement, survivors, auxiliaries and totalization claims processed and sums these
categories to obtain the final indicator count.

    Total RSI Claims Processed
        = Total RSI Claims processed for the period of October 1, 2003 to September 24, 2004

Findings

Internal Controls and Data Reliability

SSA had not documented policies and procedures related to the formal process to
collect, review and make available the performance indicator data to Agency
management.[9] Documentation describing the automated and manual controls involved
in the calculation and reporting of the performance indicator did not exist. OMB Circular
A-123, Management Accountability and Control, requires, “…documentation for
transactions, management controls, and other significant events must be clear and
readily available for examination.”[10]

We tested the IWMS datasets used to calculate the indicator and found that a total of
five SSA programmers had the "All" access designation within the Top Secret security
software to these datasets. This level of access allows users to create, delete and
modify any of the data (or datasets) contained within the datasets we reviewed. This
level of access prevents SSA from ensuring the integrity of this production data. By
allowing programmers to have the "All" access designation, SSA is not conforming to
the OMB Circular A-130 Appendix III, Security of Federal Automated Information
Resources, principles of "least privileged access" or segregation of duties.[11] While we
were able to recalculate the indicator results, as a result of this issue, we could not
consider the data to be reliable.

An audit trail for transactions processed through the SSACCS is not produced or
reviewed.
Therefore, transaction data may be altered or lost during input, resulting in
potentially incorrect or inconsistent data being accepted as valid for processing. As a
result of the lack of an audit trail, we were unable to conclude on the accuracy of the
data reported in the PAR.

[9] After the completion of fieldwork, SSA provided PwC with documented policies and procedures for the
    performance indicator.
[10] OMB Circular A-123, Appendix II, Establishing Management Controls, June 21, 1995.
[11] SSA is currently implementing the Standardized Security Profile Project to address the principle of
     “least privileged access” for users with access to mainframe datasets.

Accuracy of PAR Presentation and Disclosure

The performance trend in the PAR, “Agency performance this fiscal year is slightly
above FYs 2001 and 2003 but slightly below FY 2002,”[12] was not accurately disclosed.
The reported FY 2004 results were actually slightly above the FY 2002 results.

Performance Indicator Meaningfulness

The linkage between the performance indicator and the SSA’s strategic objective
"Improve service with technology"[13] was not apparent. The indicator measured the total
number of retirement and survivors insurance claims processed. While the noted
improvements are relevant to the objective, the enabling technology improvements,
e.g., the use of the Internet or investments in technology, were not identified in the
disclosure, nor were the claims processing improvements related to levels of effort or
cost.

Percent of Supplemental Security Income Aged Claims Processed by the Time
the First Payment is Due or within 14 Days of the Effective Filing Date

Indicator Background

This performance indicator was reported as a non-GPRA PART performance indicator
in the FY 2004 PAR.
The performance indicator measures SSI aged claims that are
processed by the time the first payment is due or within 14 days of the effective filing
date and compares it to the total number of SSI aged claims processed. Refer to the
following formula.

    % of SSI Aged Claims Processed by the Time the First Payment is Due or within 14 Days
        = [(SSI Aged Claims Processed by the Time the First Payment is Due)
           + (SSI Aged Claims Processed within 14 Days)][14]
          / (Total SSI Aged Claims Processed)

[12] Social Security Administration Performance and Accountability Report Fiscal Year 2004, p. 97.
[13] Social Security Administration Performance and Accountability Report Fiscal Year 2004, p. 96.

The Title XVI Operational Datastore (TXVI ODS) receives the date of the favorable or
unfavorable determination of the SSI aged claims as well as the application date and
payment date. This data is collected from the TXVI ODS by the Title XVI
Datawarehouse and SSI Processing Time (SSIPT) system. The Title XVI
Datawarehouse calculates the indicator. The results are posted to the SSA Intranet on
an annual basis.

Findings

Internal Controls and Data Reliability

SSA had not documented policies and procedures related to the formal process to
collect, review and make available the performance indicator data to Agency
management.[15] Documentation describing the automated and manual controls involved
in the calculation and reporting of the performance indicator did not exist.
OMB Circular
A-123, Management Accountability and Control, requires, “…documentation for
transactions, management controls, and other significant events must be clear and
readily available for examination.”[16]

We tested the Title XVI ODS datasets used to calculate the indicator and found that a
total of three SSA programmers had the "All" access designation within the Top Secret
security software to these datasets. This level of access allows users to create, delete
and modify any of the data (or datasets) contained within the datasets we reviewed.
This level of access prevents SSA from ensuring the integrity of this production data.
By allowing programmers to have the "All" access designation, SSA is not conforming to
OMB A-130 Appendix III, Security of Federal Automated Information Resources,
principles of "least privileged access" or segregation of duties.[17]

[14] This rate reflects the number of SSI Aged applications completed through the SSA operational system
     (i.e., award or denial notices are triggered) before the first regular continuing payment is due or not more
     than 14 days from the effective filing date, if later, divided by the total number of SSI Aged applications
     processed. The first regular continuing payment date is based on the first day of the month that all
     eligibility factors are met and payment is due. (Social Security Administration Performance and
     Accountability Report Fiscal Year 2004, p. 120.)
[15] After the completion of fieldwork, SSA provided PwC with documented policies and procedures for the
     performance indicator.
[16] OMB Circular A-123, Appendix II, Establishing Management Controls, June 21, 1995.

Our review of the Title XVI Datawarehouse UNIX system and Oracle database identified
seven security and compliance exceptions.
This review was conducted against the
SSA developed UNIX Risk Model configuration standard, National Institute of Standards
and Technology (NIST) guidelines that include 5153 Section 3.2.2 and 800-18 Section
6.MA.2, and the Defense Information Security Agency (DISA) Security Technical
Implementation Guides (STIGS) Security Checklist version 4R4, Section 3.8.1. We
identified two exceptions to the requirements of the SSA UNIX Risk Model and three
exceptions to the existing government guidelines from NIST and the DISA UNIX
Security Checklist version 4R4. During our review of the Oracle database, we were
informed by SSA management that SSA has not developed a configuration standard
(risk model) for the Oracle database environment.[18] We identified one exception to the
requirements of the SSA Security Handbook.

While we were able to recalculate the indicator results, as a result of these security
issues, the data used to calculate this performance indicator could not be considered
reliable.

CONCLUSION AND RECOMMENDATIONS

Specific to the performance indicator, “Number of Initial Disability Claims Pending,” we
recommend SSA:

  1. Maintain the detailed data used to calculate the performance indicator results
     that are reported in the PAR.

Specific to the performance indicator, “RSI Claims Processed,” we recommend SSA:

  2. Clearly articulate a direct linkage of the performance indicator to the Agency’s
     strategic goals and objectives in the PAR. If possible, include claims processed
     from internet or a description of technology investments that support the strategic
     objective.
     If this cannot be done, SSA should disclose the reason why this
     indicator is linked to the relevant strategic goal and objective.

[17] SSA is currently implementing the Standardized Security Profile Project to address the principle of
     “least privileged access” for users with access to mainframe datasets.
[18] After the completion of fieldwork, SSA provided PwC with the configuration standard (risk model) for
     the Oracle database environment.

Specific to the performance indicators, “Number of Initial Disability Claims Pending” and
“RSI Claims Processed,” we recommend SSA:

  3. Maintain an audit trail for SSACCS that captures the user ID, terminal, date and
     time the transaction was processed. Policies and procedures should be
     implemented requiring a review of the audit trail for inappropriate access or
     processing of transactions.

Specific to the performance indicator, “Percent of SSI Aged Claims Processed by the
Time the First Payment is Due or within 14 Days of the Effective Filing Date,” we
recommend SSA:

  4. Ensure that the Title XVI Datawarehouse UNIX system is configured to be in
     compliance with the SSA Risk Model and government guidelines from NIST and
     DISA. Ensure that the Title XVI Datawarehouse Oracle database is configured to
     be in compliance with the SSA Security Handbook. Ensure the risk model for the
     Oracle database is kept current with the SSA Security Handbook and
     Government guidelines.

Specific to the performance indicators, “RSI Claims Processed” and “Percent of SSI
Aged Claims Processed by the Time the First Payment is Due or within 14 Days of the
Effective Filing Date,” we recommend SSA:

  5. Maintain documentation that describes how the performance indicator goals were
     established, document the policies and procedures used to prepare and report
     the results of the performance indicators, and keep a complete audit trail.

  6. Ensure that the “least privileged access” principle is in place for SSA personnel
     that have the ability to directly modify, create or delete the datasets used to
     calculate the results of this indicator.

AGENCY COMMENTS

SSA agreed with three recommendations, partially agreed with one recommendation,
and disagreed with two recommendations. For recommendation 1, SSA disagreed and
stated that system capacity and limited resources would prevent them from full
implementation of this recommendation. For recommendation 3, SSA disagreed and
stated that SSACCS is only a secondary source for claims processing data and will be
phased out. Therefore, SSA does not believe it would be cost-effective to invest
resources in providing an audit trail for this system. For recommendation 4, SSA stated
that it agreed with the intent of the recommendation, but not its breadth. Specifically,
SSA stated that NIST and DISA guidelines are not always applicable, and therefore not
adopted. The full text of SSA’s comments can be found in Appendix D.

PWC RESPONSE

In response to comments regarding recommendation 1, one of the objectives of the
GPRA audit is to ensure the accuracy of results reported in the PAR for each of the
indicators under audit. We are willing to discuss any alternate methods the Agency is
considering to ensure that the indicator results are auditable.
However, SSA is
responsible for meeting the requirements of OMB Circular A-123, Management
Accountability and Control, which states, "…documentation for transactions,
management controls, and other significant events must be clear and readily available
for examination."[19] In addition, although PwC was able to recalculate the results using
summary data from DIODS, we could not consider the data to be reliable as the
Government Accountability Office defines reliability in Assessing the Reliability of
Computer-Processed Data (October 2002) as:

  • Data are reliable when they are (1) complete (they contain all of the data
    elements and records needed for the engagement) and (2) accurate (they reflect
    the data entered at the source or, if available, in the source documents).

For recommendation 3, PwC has not been provided any documentation detailing the
timeframe for the "phase out" of SSACCS. As such, PwC continues to recommend that
SSA maintain an audit trail for SSACCS since this data is used for calculation of the
indicator results.

In response to comments on recommendation 4, we continue to recommend that SSA
ensure that the Title XVI Datawarehouse UNIX system is configured to be in compliance
with the SSA Risk Model and Government guidelines from NIST and DISA.
Where SSA
believes NIST and DISA guidelines are not applicable to its system environment, SSA
should document the specific circumstances that preclude them from implementation.

[19] OMB Circular A-123, Appendix II, Establishing Management Controls, June 21, 1995.

Appendices

APPENDIX A – Acronyms

APPENDIX B – Scope and Methodology

APPENDIX C – Process Flowcharts

APPENDIX D – Agency Comments

Appendix A

Acronyms

DDS         Disability Determination Service
DI          Disability Insurance
DIODS       Disability Operational Datastore
DISA        Defense Information Security Agency
FO          Field Office
FY          Fiscal Year
GPRA        Government Performance and Results Act
IWMS        Integrated Work Management System
MCS         Modernized Claims System
MSSICS      Modernized Supplemental Security Income System
NDDSS       National Disability Determination Service System
NIST        National Institute of Standards and Technology
OASI        Old-Age and Survivors Insurance
OMB         Office of Management and Budget
PAR         Performance and Accountability Report
PART        Program Assessment Rating Tool
RSI         Retirement and Survivors Insurance
SAOR        State Agency Operations Report
SSA         Social Security Administration
SSACCS      Social Security Administration Claims Control System
SSI         Supplemental Security Income
SSIPT       Social Security Income Processing Time
STIGS       Security Technical Implementation Guides
TII ODS     Title II Operational Datastore
TXVI ODS    Title XVI Operational Datastore
U.S.C.      United States Code

Appendix B

Scope and Methodology

We updated our understanding of the Social Security Administration’s (SSA)
Government Performance and Results Act (GPRA) processes. This was
completed through research and inquiry of SSA management. We also
requested SSA to provide various documents regarding the specific programs
being measured as well as the specific measurement used to assess the
effectiveness and efficiency of the related program.

Through inquiry, observation, and other substantive testing, including testing of
source documentation, we performed the following:

  • Reviewed prior SSA, Government Accountability Office, Office of the
    Inspector General and other reports related to SSA’s GPRA performance
    and related information systems.
  • Met with the appropriate SSA personnel to confirm our understanding of
    the performance indicators.
  • Flowcharted the processes.
(See Appendix C).\n   \xe2\x80\xa2   Tested key controls related to manual or basic computerized processes\n       (e.g., spreadsheets and databases).\n   \xe2\x80\xa2   Conducted and evaluated tests of the automated and manual controls\n       within and surrounding each of the critical applications to determine\n       whether the tested controls were adequate to provide and maintain\n       reliable data to be used when measuring the specific indicator.\n   \xe2\x80\xa2   Identified attributes, rules, and assumptions for each defined data element\n       or source document.\n   \xe2\x80\xa2   Recalculated the metric or algorithm of key performance indicators to\n       ensure mathematical accuracy.\n   \xe2\x80\xa2   For those indicators with results that SSA determined using computerized\n       data, we assessed the completeness and accuracy of that data to\n       determine the data\'s reliability as it pertains to the objectives of the audit.\n\nAs part of this audit, we documented our understanding, as conveyed to us by\nAgency personnel, of the alignment of the Agency\xe2\x80\x99s mission, goals, objectives,\nprocesses, and related performance indicators. We analyzed how these\nprocesses interacted with related processes within SSA and the existing\nmeasurement systems. Our understanding of the Agency\xe2\x80\x99s mission, goals,\nobjectives, and processes was used to determine if the performance indicators\nappear to be valid and appropriate given our understanding of SSA\xe2\x80\x99s mission,\ngoals, objectives and processes.\n\nWe followed all performance audit standards in accordance with generally\naccepted government auditing standards. 
In addition to the steps above, we\nspecifically performed the following to test the indicators included in this report:\n\nNUMBER OF INITIAL DISABILITY CLAIMS PENDING\n\n   \xe2\x80\xa2   Audited the design and effectiveness of the SSA internal controls and the\n       accuracy and completeness of the data related to the following areas:\n          - Completed application control reviews over Disability Operational\n              Datastore (DIODS).\n   \xe2\x80\xa2   Determined the adequacy of the programming logic used by SSA to\n       calculate the initial disability claims pending.\n\nRETIREMENT AND SURVIVORS INSURANCE (RSI) PROCESSED\n\n   \xe2\x80\xa2   Audited the design and effectiveness of the SSA internal controls and the\n       accuracy and completeness of the data related to the following areas:\n          - Completed application control review over Title II Operational\n              Datastore (TII ODS) and Integrated Work Management System\n              (IWMS).\n   \xe2\x80\xa2   Determined the adequacy of the programming logic used by SSA to\n       calculate the RSI processed.\n   \xe2\x80\xa2   Recalculated the RSI processed for the Fiscal Year (FY) 2004 and\n       compared it to the RSI processed for the year.\n\nPERCENT OF SUPPLEMENTAL SECURITY INCOME (SSI) AGED\nCLAIMS PROCESSED BY THE TIME THE FIRST PAYMENT IS\nDUE OR WITHIN 14 DAYS OF THE EFFECTIVE FILING DATE\n\n   \xe2\x80\xa2   Audited the design and effectiveness of the SSA internal controls and the\n       accuracy and completeness of the data related to the following areas:\n          - Completed application control reviews over the Title XVI\n              Operational Datastore (TXVI ODS) and Title XVI Datawarehouse.\n          - Completed reviews for the Title XVI ODS and Title XVI\n              Datawarehouse UNIX system and ORACLE database.\n   \xe2\x80\xa2   Determined the adequacy of the programming logic used by SSA to\n       calculate the indicator.\n   \xe2\x80\xa2   
Recalculated the indicator for the FY 2004 and compared it to the number\n       reported in the Performance Accountability Report.\n\n\n\n\n\x0c                                                                    Appendix C\n\nNumber of Initial Disability Claims Pending\n2004 Process Flowchart\n[Flowchart graphic not reproduced; the steps are given in the narrative that follows.]\n\n\x0c2004 Process Flowchart Narrative\nNumber of Initial Disability Claims Pending\n   \xe2\x80\xa2   Claimant contacts the SSA via a FO in-person visit, mail, or phone call to the FO\n       or TSC.\n   \xe2\x80\xa2   If the FO or TSC can interview the claimant, the FO or TSC will verify\n       non-medical factors.\n   \xe2\x80\xa2   If the FO or TSC is not available to interview the claimant, the FO or TSC will set\n       up an in-office or telephone interview.\n   \xe2\x80\xa2   During the interview, the FO personnel\xe2\x80\x99s review determines if the claimant is\n       eligible for Title II and/or Title XVI benefits. If the claimant does not qualify for\n       Title II and/or Title XVI benefits, the claimant can continue or stop the filing of the\n       application.\n   \xe2\x80\xa2   Claimants that are eligible for Title II or Title XVI benefits complete the\n       application form. The FO personnel enter the Title II application into MCS or\n       SSACCS. 
The FO personnel enter the Title XVI application into MSSICS.\n   \xe2\x80\xa2   The FO personnel review non-medical issues and determine the claimant\xe2\x80\x99s\n       effective filing date.\n   \xe2\x80\xa2   If the determination is a technical denial, the FO personnel will enter the decision.\n   \xe2\x80\xa2   If the determination is not a technical denial, a medical folder is created for the\n       claimant and sent to the State Disability Determination Services (DDS) for the\n       review of medical factors and determination of receipt of benefits.\n   \xe2\x80\xa2   NDDSS receives the claimant\xe2\x80\x99s data from MCS, SSACCS and MSSICS.\n   \xe2\x80\xa2   NDDSS provides the total number of pending disability claims to the DIODS.\n   \xe2\x80\xa2   DIODS produces the pending disability claims count on a weekly basis on the\n       SAOR.\n   \xe2\x80\xa2   The DDS staff analyzes the SAOR report to identify anomalies and corrects\n       errors, if applicable.\n   \xe2\x80\xa2   The year-end SAOR report produces the indicator results on the PAR.\n\n\n\n\n\x0cRSI Claims Processed\n2004 Process Flowchart\n[Flowchart graphic not reproduced; the steps are given in the narrative that follows.]\n\n\x0c2004 Process Flowchart Narrative\nRetirement and Survivors Insurance Claims Processed\n   \xe2\x80\xa2   Claimant contacts the SSA via a FO in-person visit, mail, or phone call to the FO\n       or TSC.\n   \xe2\x80\xa2   If the FO or TSC can interview the claimant, the FO or TSC will verify\n       non-medical factors.\n   \xe2\x80\xa2   If the FO or TSC is not available to interview the claimant, the FO or TSC will set\n       up an in-office or telephone interview.\n   \xe2\x80\xa2   During the interview, the FO personnel\xe2\x80\x99s review determines if the claimant is\n       eligible for Title II benefits. If the claimant does not qualify for Title II benefits, the\n       claimant can continue or stop the filing of the application.\n   \xe2\x80\xa2   Claimants that are eligible for Title II benefits complete the application form. 
The\n       FO personnel enter the Title II application into MCS or SSACCS.\n   \xe2\x80\xa2   The FO personnel\xe2\x80\x99s review determines the claimant\xe2\x80\x99s effective filing date, verifies\n       the claimant\xe2\x80\x99s identity via the Numident and verifies the claimant\xe2\x80\x99s earnings via\n       the Earnings Retirement Claims System.\n   \xe2\x80\xa2   MCS performs edit checks and provides an initial entitlement decision.\n   \xe2\x80\xa2   MCS interfaces with the WMS to provide the RSI processed claims data.\n   \xe2\x80\xa2   SSACCS and WMS interface with the TII ODS to provide the RSI processed\n       claims data.\n   \xe2\x80\xa2   IWMS receives data from the TII ODS. The SSA staff retrieves the RSI\n       processed claims data from the GETWORK module of IWMS.\n   \xe2\x80\xa2   The SSA staff reviews the GETWORK report for errors and inconsistencies.\n   \xe2\x80\xa2   The final indicator number is reported in the PAR.\n\n\n\n\n\x0cPercent of SSI Aged Claims Processed by the Time the First\nPayment is Due or within 14 Days of the Effective Filing Date\n2004 Process Flowchart\n[Flowchart graphic not reproduced; the steps are given in the narrative that follows.]\n\n\x0c2004 Process Flowchart Narrative\nPercent of SSI Aged Claims Processed by the Time the First Payment is Due or\nwithin 14 Days of the Effective Filing Date\n\n   \xe2\x80\xa2   Claimant contacts the SSA via a FO in-person visit, mail, or phone call to the FO\n       or TSC.\n   \xe2\x80\xa2   If the FO or TSC can interview the claimant, the FO or TSC will verify\n       non-medical factors.\n   \xe2\x80\xa2   If the FO or TSC is not available to interview the claimant, the FO or TSC will set\n       up an in-office or telephone interview.\n   \xe2\x80\xa2   During the interview, the Field Office personnel determine if the claimant is\n       eligible for Title XVI benefits. If the claimant does not qualify for Title XVI\n       benefits, the claimant can continue or stop the filing of the application.\n   \xe2\x80\xa2   Claimants that are eligible for Title XVI benefits complete the application form.\n       The field office personnel enter the Title XVI application data into MSSICS.\n   \xe2\x80\xa2   The field office personnel\xe2\x80\x99s review determines the claimant\xe2\x80\x99s effective filing date\n       and verifies the claimant\xe2\x80\x99s identity via the Numident.\n   \xe2\x80\xa2   The field office personnel adjudicate the application.\n   \xe2\x80\xa2   The claims data is sent to the SSI Exception Controls System.\n   \xe2\x80\xa2   The Title XVI ODS receives data from the SSI Exception Controls System.\n   \xe2\x80\xa2   The Title XVI Datawarehouse/SSIPT are updated with the summary data of the\n       processing time of SSI Aged claims.\n   \xe2\x80\xa2   SSA retrieves the indicator results from the SSA Intranet and reports the results\n       on the PAR.\n\n\n\n\n\x0c                                                                      Appendix D\n\n   Agency Comments\n\n\n\n\n\x0c                                         SOCIAL SECURITY\n                                                                                 0509-0002240\nMEMORANDUM                                                                       34314-24-1350\n\nDate:      October 11, 2005                                                      Refer To: S1J-3\n\nTo:        Patrick P. O\'Carroll, Jr.\n           Inspector General\n\nFrom:      Larry W. Dye /s/\n           Chief of Staff\n\nSubject:   Office of the Inspector General (OIG) Draft Report "Performance Indicator Audit: Claims\n           Processing" (A-15-05-15114) -- INFORMATION\n\n\n           We appreciate OIG\xe2\x80\x99s efforts in conducting this review. Our comments on the draft report content\n           and recommendations are attached.\n\n           Let me know if we can be of further assistance. Staff inquiries may be directed to Candace\n           Skurnik, Director, Audit Management and Liaison Staff on extension 54636.\n\n           Attachment:\n           SSA Response\n\n\n\n\n\x0cCOMMENTS ON THE OFFICE OF THE INSPECTOR GENERAL (OIG) DRAFT\nREPORT, "PERFORMANCE INDICATOR AUDIT: CLAIMS PROCESSING"\n(A-15-05-15114)\n\nThank you for the opportunity to review and comment on the draft report. We acknowledge the\nfindings and intent of the recommendations. We recognize that the objective of the audit was to\nreview the Fiscal Year (FY) 2004 Performance and Accountability Report (PAR). 
Nonetheless,\nwe believe the report should have noted where SSA has recognized shortcomings and has\nundertaken corrective actions.\n\n\nOur specific responses to the report\'s recommendations are provided below.\n\n\nRecommendation 1\n\nSpecific to the performance indicator, "Number of Initial Disability Claims Pending:" maintain\nthe detailed data used to calculate the performance indicator results that are reported in the PAR.\n\n\nComment\n\n\nWe disagree. Although the report acknowledges system capacity is a compelling factor for not\nmaintaining data for tracing data integrity, the diversion of already limited resources to support\nsuch activity is equally compelling. Satisfying this recommendation would require SSA to\npreserve and maintain, among other things, data transactions, source code, multiple versions of\nsoftware and the operating system in use during the potential audit review period. Staff would\nthen need to be available to reconstruct all this to support an audit. The magnitude of such an\neffort would seriously impede work to implement new information technology supported\nprocesses that support SSA programs and their clients. We have recommended to OIG and PwC\nrepresentatives that they take advantage of real-time auditing, and they agreed to explore such an\noption for subsequent fiscal year audits.\n\n\nMoreover, the data from the Disability Insurance Operational Data Store (DIODS) is used to\ndetermine the number of disability claims pending. Office of Management and Budget\'s (OMB)\nCircular A-11, section 230f states "Performance data need not be perfect to be reliable,\nparticularly if the cost and effort to secure the best performance data will exceed the value of any\ndata so obtained". 
Therefore, since PwC was able to recalculate the results using summary data\nfrom DIODS, we suggest PwC revise their statement in Findings that they could not consider the\ndata reliable.\n\n\nRecommendation 2\n\nSpecific to the performance indicator, "RSI Claims Processed:" clearly articulate a direct linkage\nof the performance indicator to the Agency\'s strategic goals and objectives. If possible, include\nclaims processed from internet or a description of technology investments that support the\nstrategic objective. If this cannot be done, SSA should disclose the reason why this indicator is\nlinked to the relevant strategic goal and objective.\n\n\nComment\n\n\nWe agree. We have enhanced language in the FY 2005 PAR to make this linkage more\napparent.\n\n\nRecommendation 3\n\nSpecific to the performance indicators, "Number of Initial Disability Claims Pending" and "RSI\nClaims Processed:" maintain an audit trail for SSA Claims Control System (SSACCS) that\ncaptures the user ID, terminal, date and time the transaction was processed. Policies and\nprocedures should be implemented requiring a review of the audit trail for inappropriate access\nor processing of transactions.\n\n\nComment\n\n\nWe disagree. SSACCS is only a secondary source for claims processing data. All cases have\nsome Modernized Claims Systems (MCS) involvement (and the attendant audit trail), but in\ncases (approximately 6%) where MCS does not provide all of the data necessary to calculate a\npending or processed count, SSACCS data are used.\n\n\nBecause SSACCS will be phased out, it is not cost-effective to invest resources for enhancing\nthis system to provide the audit trail PwC recommends. 
Again, we refer to OMB\'s Circular A-11\nguidance in section 230.f, mentioned above.\n\n\nRecommendation 4\n\nSpecific to the performance indicator, "Percent of SSI Aged Claims Processed by the Time the\nFirst Payment is Due or within 14 Days of the Effective Filing Date:" ensure that the Title XVI\nDatawarehouse UNIX system is configured to be in compliance with the SSA Risk Model and\ngovernment guidelines from the National Institute of Standards and Technology (NIST) and the\nDefense Information Security Agency (DISA). Ensure that the Title XVI Datawarehouse Oracle\ndatabase is configured to be in compliance with the SSA Security Handbook. Create a risk\nmodel for the Oracle database that is in compliance with the SSA Security Handbook and\nGovernment guidelines.\n\n\nComment\n\n\nWe agree with the intent of the recommendation, but not its breadth.\n\n\nConcerning PwC\xe2\x80\x99s finding that the T16 Datawarehouse was non-compliant with settings in the\nrisk model, we concur and have already taken corrective action.\n\n\nAlthough SSA reviews NIST and DISA guidelines when updating each operating system Risk\nModel, full adoption of the guidelines would adversely affect the Agency\xe2\x80\x99s ability to conduct its\ncore business under the current Information Technology (IT) environment. Moreover, the\nrecommendations made are frequently not applicable to SSA systems environment because we\ndo not utilize the specific components of the operating system discussed in these documents, or\nbecause SSA is using that component in a manner different than that envisioned by NIST or\nDISA.\n\n\nTherefore, it would be inappropriate for the Agency to state we are in full compliance with these\nguidelines for the reasons stated above. However, the Agency has implemented the guidelines\nwhere they are applicable to our processing environment. 
We believe our configuration\nmanagement program affords the Agency the best possible protections while also supporting our\ncore business processes.\n\n\nRecommendation 5\n\nSpecific to the performance indicators, "RSI Claims Processed" and "Percent of SSI Aged\nClaims Processed by the Time the First Payment is Due or within 14 Days of the Effective Filing\nDate:" maintain documentation that describes how the performance indicator goals were\nestablished, document the policies and procedures used to prepare and report the results of the\nperformance indicators, and keep a complete audit trail.\n\n\nComment\n\n\nWe agree. Policies and procedures have been developed and were provided to the auditors. This\nshould be acknowledged in their final report.\n\n\nRecommendation 6\n\nEnsure the "least privileged access" principle is in place for SSA personnel that have the ability\nto directly modify, create or delete the datasets used to calculate the results of this indicator.\n\n\nComment\n\n\nWe agree. SSA is in the midst of reevaluating access rights for all its programmatic and\nadministrative systems. Much progress has been made, and we are pleased to report that the\nsystems SSA identified as the most tempting for high-risk activity have been successfully\nsecured. We continue to address the remaining systems. 
Both the Integrated Work Management
System and T16 Operational Datastore, specifically noted in this report, have been recently
evaluated and action has been taken to restrict access and monitor programmers’ interactions
with these systems.

               Overview of the Office of the Inspector General

The Office of the Inspector General (OIG) is comprised of our Office of Investigations (OI),
Office of Audit (OA), Office of the Chief Counsel to the Inspector General (OCCIG), and Office
of Executive Operations (OEO). To ensure compliance with policies and procedures, internal
controls, and professional standards, we also have a comprehensive Professional Responsibility
and Quality Assurance program.

                                        Office of Audit

OA conducts and/or supervises financial and performance audits of the Social Security
Administration’s (SSA) programs and operations and makes recommendations to ensure
program objectives are achieved effectively and efficiently. Financial audits assess whether
SSA’s financial statements fairly present SSA’s financial position, results of operations, and cash
flow. Performance audits review the economy, efficiency, and effectiveness of SSA’s programs
and operations. OA also conducts short-term management and program evaluations and projects
on issues of concern to SSA, Congress, and the general public.

                                    Office of Investigations

OI conducts and coordinates investigative activity related to fraud, waste, abuse, and
mismanagement in SSA programs and operations. This includes wrongdoing by applicants,
beneficiaries, contractors, third parties, or SSA employees performing their official duties.
This
office serves as OIG liaison to the Department of Justice on all matters relating to the
investigations of SSA programs and personnel. OI also conducts joint investigations with other
Federal, State, and local law enforcement agencies.

                   Office of the Chief Counsel to the Inspector General

OCCIG provides independent legal advice and counsel to the IG on various matters, including
statutes, regulations, legislation, and policy directives. OCCIG also advises the IG on
investigative procedures and techniques, as well as on legal implications and conclusions to be
drawn from audit and investigative material. Finally, OCCIG administers the Civil Monetary
Penalty program.

                               Office of Executive Operations

OEO supports OIG by providing information resource management and systems security. OEO
also coordinates OIG’s budget, procurement, telecommunications, facilities, and human
resources. In addition, OEO is the focal point for OIG’s strategic planning function and the
development and implementation of performance measures required by the Government
Performance and Results Act of 1993.